Security researchers from Assetnote disclosed a pre-authentication remote code execution (RCE) vulnerability in dotCMS. The flaw is tracked with a CVE ID ‘CVE-2022-26352’ is a critical vulnerability that is associated with a directory crawl attack while downloading files that allows the attacker to execute arbitrary commands on underlying systems. It’s possible to achieve code execution by uploading a JSP file to the tomcat’s root directory that leads to command execution. Since the vulnerability causes remote code execution while downloading files, users of dotCMS should be aware of this flaw. Let’s discuss how to fix the RCE vulnerability in dotCMS in this post.
dotCMS is a hybrid CMS built on the leading Java technology. It’s a next-generation platform supporting the flexibility of a headless CMS with the traditional content authoring efficiency. dotCMS empowers both developers and marketers with the ability to create and reuse content for building engaging, connected, and memorable digital products. They provide a community-driven edition of their CMS that is free to download and use.
CVE-2022-26352 is a pre-auth remote code execution vulnerability in DotCMS, which was achievable by performing a directory traversal attack while uploading files. This vulnerability allows an attacker to execute arbitrary commands and is exploitable with DotCMS default configurations.
An attacker can upload arbitrary files to the system by uploading the JSP file to the tomcat’s root directory. It’s possible to achieve code execution that leads to command execution. Attackers may use this vulnerability to overwrite existing files with a web shell. It can subsequently be exploited to attain permanent remote access.
The advisory confirmed this flaw affects dotCMS v22.01 and below. Moreover, this vulnerability may work on 22.02, but it has not been confirmed.
The best way to fix the RCE vulnerability in dotCMS is to upgrade to versions containing fixes for the issue. It includes versions 22.03, 5.3.8.10_lts and/or 21.06.7_lts. Here are recommended ways to mitigate the issue. Click here for more information.
If an upgrade is not an immediate option, dotCMS have developed OSGI-based plugins that can be deployed in your dotCMS environment.
DotCMS have developed an OSGI plugin to mitigate the problem in running instances. This plugin is designed to work with the versions 5.1.6 and the latest and can be found here.
A plugin version has also been developed for users running unsupported, older versions. This plugin should give the same protection as the above plugin. However, it is suggested to validate the plugin in your environment.
This vulnerability does not impact unsupported versions of dotCMS before v4.0. It’s not 100% guaranteed that this issue does not exist in dotCMS versions outside their support lifetime.
The vulnerability can be mitigated by implementing rules prohibiting path traversal requests on some WAF frameworks. For instance, AWS WAF has a ruleset called GenericLFI_BODY that inspects for the presence of local file inclusion exploits in the request body. Such a ruleset can cause issues like preventing files, including relative paths, from being uploaded. The rule is effective in the production environment.
It’s not a complete mitigation technique. If you are not using anonymous content submission, it’s recommended to set CONTENT_APIS_ALLOW_ANONYMOUS=NONE or CONTENT_APIS_ALLOW_ANONYMOUS=READ in your dotmarketing-config.properties. It prevents anonymous access to /API/content, which means the attacker can’t exploit the vulnerability.
We hope this post would help you how to fix the RCE vulnerability in dotCMS (CVE-2022-26352). Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram,and subscribe to receive updates like this.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.